Comments on: Remote Entropy
https://blog.mozilla.org/warner/2014/03/04/remote-entropy/
Wed, 23 Jul 2014 11:58:17 +0000

By: Squintz
https://blog.mozilla.org/warner/2014/03/04/remote-entropy/#comment-23501
Sat, 08 Mar 2014 22:38:27 +0000
Brian, nice write-up you did here. As you mentioned, a HWRNG is the best way to feed the entropy. We recently started selling the TrueRNG (http://www.ubld.it/rng). I’d love for you to try it and give us some feedback.

By: Chris Taylor
https://blog.mozilla.org/warner/2014/03/04/remote-entropy/#comment-23345
Wed, 05 Mar 2014 02:51:43 +0000
Cool, glad I could add to the conversation.

By: warner
https://blog.mozilla.org/warner/2014/03/04/remote-entropy/#comment-23343
Wed, 05 Mar 2014 00:46:40 +0000
Yup, PBKDF (or other key-stretching) applied to every output of the RNG would increase Eve’s work factor (how much CPU time she needs to test each guess). You have to do it on every single output, though: if you let a single non-stretched output slip by, Eve gets to make the cheaper attack. So it’s probably necessary to do the stretching in-kernel. And kernel devs tend to be sticklers about performance: I believe the Linux RNG uses a non-cryptographic hash function (Mersenne Twister) in the interests of speed. So I wouldn’t expect to see a CPU-intensive key-stretching operation appear there any time soon.

Although, it might be interesting to consider a one-time big stretch, sometime during system boot, at some point when there’s *some* uncertainty that hasn’t yet been revealed to the outside world (timing noise?).